
8 reasons why your site can be hacked

When you use the Internet for your business, you face the task of protecting your Internet resource. Some small Internet-based companies believe that if they do not store customer payment information on their web resource, no hacker attack can significantly harm their business. However, there now exist attacks that indirectly affect all participating parties, even when your resource was not the target of the attack.

Common scenarios

Here is a list of just a few fairly common situations:
Direct attacks:

  • Scenario 1: User theft. Your website is infiltrated with fake links and scripts that redirect your customers to your competitors.
  • Scenario 2: Price correction. Your website is infiltrated with scripts that dynamically change the prices of your goods and services to make them higher than your competitors’.
  • Scenario 3: Third-party advertisement. Your website is infiltrated with scripts that display unauthorised advertisements.
  • Scenario 4: Breaking your web resource. These attacks make your website malfunction during the peak of an advertising campaign or a major sale.

Apart from direct attacks, there are a number of indirect ones that make your web resource part of a larger attack on other companies and their websites.
Indirect attacks

  • Scenario 1: Virus spreading. Your website is used to spread malicious code that was covertly uploaded to it.
  • Scenario 2: Botnet command server creation. Your website is infiltrated with scripts that control a botnet.
  • Scenario 3: DDoS attack reinforcement. Your website is infiltrated with specialised scripts and applications that increase the number of network packets and/or HTTP requests sent through your website towards the target resource.
  • Scenario 4: Zombie-host creation. Your web resource is remotely controlled and used as a link in a chain of servers that hides the real address of the attacker.

Unlike direct attacks, which cause financial loss right away, indirect attacks have delayed consequences. When your web resource is used for these attacks, it gets added to a so-called reputation database as an attacker. Being in such a database harms the reputation of your company. Apart from that, search engines exclude websites from their indexes if malicious software is detected on them. If you do not detect the attack in time and remove the malicious content, returning to the top of the search results becomes a very hard and time-consuming task, and while you are working on it you will be losing current and potential customers. Active protection, constant monitoring and timely attack detection can solve this problem. For this type of task, RST Cloud provides you with security analysis and monitoring mechanisms.

Reputation lists

From tens to hundreds of thousands of users visit your web resource every day. Apart from human users, websites are also visited by web crawlers. Unfortunately, among both users and web crawlers there is a fair number of malicious ones. Some of them study your web resource, especially if it is built on WordPress, Joomla or Drupal, searching for vulnerabilities, and some are looking for an opportunity to post ads for other websites, goods or services. We mentioned above that these actions affect the reputation of your web resource among your users. When you decide whether to blacklist a user or a web crawler, it is handy to know whether their IP address has been seen performing a malicious action. Reputation lists store such malicious IP addresses. RST Cloud provides you with a number of reports that allow you to check your visitors against the reputation lists. The Malicious Bots report allows you to identify malicious visitors or web crawlers that disguise themselves as legitimate search engine crawlers while trying to perform illegal actions on your web resource.

[Screenshot: Malicious Bots report (IP Reputation)]

Click each IP address to see all requests that have been made to your web resource from that address.

[Screenshot: Analyse IP activity]

RST Cloud analytics also allow you to see which potential spammers visited your web resource and what actions they performed. For that purpose, we provide you with the Comments Spammers IPs report.

[Screenshot: Comment Spammers report]

Apart from malicious web crawlers and spammers, it is important to know which users’ IP addresses have been used to perform attacks on other Internet resources. You can see these users and the list of requests they made in the Other Malicious IPs report.

[Screenshot: Malicious IP addresses report]

At the moment RST Cloud is integrated with 15 external reputation databases, whose information is updated every 24 hours.
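The two checks described in this section, matching visitor addresses against reputation lists and unmasking crawlers that only claim to be Googlebot or bingbot, can be reproduced on your own access log. The script below is an added example and is not RST Cloud code; the log lines, the reputation feeds and the reverse-DNS answers are all constructed (documentation address ranges, hypothetical feed names), so it runs offline. A production version would replace the REVERSE_DNS table with a real reverse lookup followed by a forward lookup of the returned hostname.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of an Apache/Nginx "combined" access log; the addresses are
# documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Oct/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [18/Oct/2016:10:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Oct/2016:10:00:05 +0000] "GET /products HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.99 - - [18/Oct/2016:10:00:07 +0000] "GET /about HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed reputation feeds: hypothetical stand-ins for the external databases
# the post mentions, keyed by the category each feed reports.
REPUTATION = {
    "comment_spammer": [ip_network("198.51.100.0/24")],
    "attacker": [ip_network("192.0.2.99/32")],
}

# Constructed reverse-DNS answers. A real check would call socket.gethostbyaddr()
# and then resolve the returned hostname forward again to confirm it maps back
# to the same address, because PTR records are under the visitor's control.
REVERSE_DNS = {
    "192.0.2.44": "msnbot-192-0-2-44.search.msn.com",
    "203.0.113.10": "host10.cheap-vps.invalid",
}

# Domains under which the genuine crawler hostnames of these search engines live.
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


def parse_log(text):
    """Split combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def reputation_hits(ip):
    """Return the feed categories in which the address appears."""
    addr = ip_address(ip)
    return [cat for cat, nets in REPUTATION.items() if any(addr in n for n in nets)]


def is_fake_crawler(ip, user_agent):
    """True when the User-Agent claims a known crawler but reverse DNS disagrees."""
    ua = user_agent.lower()
    for name, domains in CRAWLER_DOMAINS.items():
        if name in ua:
            host = REVERSE_DNS.get(ip, "")
            return not any(host == d or host.endswith("." + d) for d in domains)
    return False


def classify(text):
    """Map each client IP in the log to the list of verdicts raised against it."""
    verdicts = {}
    for e in parse_log(text):
        flags = verdicts.setdefault(e["ip"], [])
        for cat in reputation_hits(e["ip"]):
            if cat not in flags:
                flags.append(cat)
        if is_fake_crawler(e["ip"], e["ua"]) and "fake_crawler" not in flags:
            flags.append("fake_crawler")
    return verdicts


if __name__ == "__main__":
    for ip, flags in classify(SAMPLE_LOG).items():
        print(ip, flags or "clean")
```

Run as-is it reports the self-declared Googlebot on 203.0.113.10 as a fake crawler, the comment poster from 198.51.100.7 as a listed spammer, 192.0.2.99 as a listed attacker, and the real bingbot as clean; the reputation check is a plain CIDR match, so a feed that publishes whole ranges works the same way as one that publishes single addresses.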

Attack detection mechanisms

Besides understanding user reputation from a security point of view, it is important to detect and investigate attacks on your web resource. RST Cloud analytics can detect and investigate attacks even if the malefactor managed to break in and cover their tracks by deleting the Apache, Nginx or IIS server logs. For attack detection and monitoring, RST Cloud provides you with the following mechanisms:

  • Request signature analysis mechanism
  • Anomalous request detection mechanism

Because the signature and behavioural mechanisms are linked, RST Cloud detects not only well-known attacks but also 0-day attacks that leave direct or indirect traces at the web server log level.

[Screenshot: Attacks and anomalies summary]

The results of the signature-based attack detection mechanism can be seen in the Security Attacks report. This report shows which attacks were detected and which requests contained the attack traces. Apart from attacks, RST Cloud detects the activity of more than 50 vulnerability scanners. Malefactors run these scanners to automatically find security weaknesses in your web resource.

[Screenshot: Well-known attacks]

Anomaly information is shown in the Security Anomalies report, which contains all uncharacteristic requests to your website.
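To make the difference between the two mechanisms concrete, here is an added example (not RST Cloud code) that runs a small signature set and a simple behavioural baseline over constructed request records. The signatures, the scanner name list and the baseline of "normal" requests are illustrative choices made for this example; the point to notice is that the traversal probe trips only a signature, the long NUL-padded request trips only the anomaly check, and the injection attempt trips both, which is why a log-level detector wants both mechanisms.

```python
import re
from urllib.parse import unquote

# Constructed request records already split out of the access log:
# (client IP, request target, User-Agent). Documentation addresses, not real traffic.
REQUESTS = [
    ("192.0.2.1", "/index.php", "Mozilla/5.0"),
    ("192.0.2.1", "/products?id=12", "Mozilla/5.0"),
    ("198.51.100.5", "/products?id=12%27%20UNION%20SELECT%201,2,3--", "Mozilla/5.0"),
    ("198.51.100.5", "/download?file=../../../etc/passwd", "Mozilla/5.0"),
    ("203.0.113.8", "/", "Mozilla/5.00 (Nikto/2.1.6)"),
    ("203.0.113.9", "/search?q=" + "A" * 60 + "%00%00", "Mozilla/5.0"),
]

# Signature mechanism: patterns for well-known attack classes, applied to the
# URL-decoded target so that percent-encoding does not hide them.
SIGNATURES = {
    "sql_injection": re.compile(r"union\s+select|'\s*or\s+\d+\s*=\s*\d+", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
}
# Product names that appear in the User-Agent strings of common vulnerability scanners.
SCANNER_NAMES = ("nikto", "sqlmap", "nessus", "acunetix")

# Behavioural mechanism: a baseline of historical, known-good requests (constructed
# here; in practice learned from weeks of traffic) and the character set they use.
BASELINE_TARGETS = ["/index.php", "/products?id=12", "/", "/search?q=shoes"]
ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/?=&.-_%+,:~"
)
LENGTH_FACTOR = 3  # a request longer than 3x the longest normal request is unusual


def match_signatures(target, user_agent):
    """Names of the signatures that fire on this request."""
    decoded = unquote(target)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if any(name in user_agent.lower() for name in SCANNER_NAMES):
        hits.append("vulnerability_scanner")
    return hits


def is_anomalous(target, baseline=BASELINE_TARGETS):
    """True when the decoded target is far longer than anything in the baseline
    or contains characters the baseline never uses (NULs, quotes, spaces, ...)."""
    decoded = unquote(target)
    max_len = max(len(t) for t in baseline)
    if len(decoded) > LENGTH_FACTOR * max_len:
        return True
    return any(ch not in ALLOWED_CHARS for ch in decoded)


def detect(requests):
    """Run both mechanisms over every request and return one verdict per request."""
    results = []
    for ip, target, ua in requests:
        results.append({
            "ip": ip,
            "target": target,
            "signatures": match_signatures(target, ua),
            "anomalous": is_anomalous(target),
        })
    return results


if __name__ == "__main__":
    for r in detect(REQUESTS):
        flag = "anomalous" if r["anomalous"] else ""
        print(r["ip"], r["target"][:40], r["signatures"] or "-", flag)
```

The anomaly check deliberately knows nothing about attack syntax: it only compares each request with what the site normally receives, so a request that no signature covers still surfaces in the anomalies list. Conversely the traversal attempt looks perfectly ordinary character-wise and is caught only because a signature names it.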

[Screenshot: Anomalies Report]

For attack investigation, it is important to understand what the malefactor did and at what stage the attack was detected. By reconstructing the sequence of the attacker’s actions you can not only detect a security breach but also recover your system after the intrusion. For that, it is crucial to analyse the whole context of the attack: the attack itself and all requests made shortly before and shortly after it. For such investigations, RST Cloud provides a separate group of reports that allows in-depth analysis of the malefactor’s actions.

This group of reports allows you to:

  1. Check the malicious IP against the reputation databases.
  2. Figure out the country that this IP comes from.
  3. Look at all actions of that IP over the last 30 days.
  4. Investigate each attack separately.

[Screenshot: Attacker activity]

Click an attack to see the attack context investigation report.

[Screenshot: Investigation Report]

This report shows all requests that the attacker made over a period of 1 to 30 minutes around the time the attack was performed. If you suspect that the malefactor changed IP address during the attack, you can include requests from other users in the investigation context.

Posted on October 18, 2016 by Nikolay Arefiev